CVE-2016-3761
Description
In Android 4.x–6.x, NfcService.java allows a background app to read foreground app info without permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In NfcService.java within the NFC component of Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, the setForegroundDispatch method does not verify that the caller is in the foreground [1][2]. This allows a crafted background application to call the method and potentially obtain sensitive information about the foreground application [1]. The vulnerability is identified as internal bug 28300969 [1][2].
Exploitation
An attacker needs to install a malicious background application on the device. The background application can invoke setForegroundDispatch without proper foreground verification, enabling it to intercept or observe data intended only for the foreground application [1][2]. No additional permissions beyond normal app capabilities are required for the attack.
Impact
Successful exploitation allows the background application to obtain sensitive information about the foreground application, potentially including app identity or other details that should be restricted [1]. This represents a confidentiality breach, though the exact scope of leaked data depends on the foreground application's behavior.
Mitigation
The issue was addressed in the Android security bulletin for July 2016 [1]. The fix, introduced in commit 9ea802b5456a36f1115549b645b65c791eff3c2c, adds a check to verify that the calling process is in the foreground before allowing setForegroundDispatch [2]. Users should apply the Android security update dated 2016-07-01 or later. There is no workaround other than updating.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 4.4.4, >=5.0.0 <5.0.2, >=5.1.0 <5.1.1, >=6.0 <2016-07-01